Privacy Policy

Effective date: 29 March 2026 — Last updated: 29 March 2026

1. Introduction

Hypothesi Ltd, trading as Delta Forge ("we", "us", "our"), is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Delta Forge platform, visit our website at deltaforge.io, or otherwise interact with our services.

Delta Forge is a PostgreSQL-compatible data platform for Delta Lake. This policy applies to all users of our platform, website visitors, and prospective customers.

For the purposes of applicable data protection legislation (including the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"), and the Data Protection Act 2018), the data controller is:

Hypothesi Ltd (trading as Delta Forge)
Registered in England and Wales
Email: privacy@deltaforge.io

2. Data Protection Officer

We have appointed a Data Protection Officer ("DPO") who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this policy or our data protection practices, please contact our DPO at:

Data Protection Officer
Hypothesi Ltd
Email: privacy@deltaforge.io

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account Registration Data

When you register for a Delta Forge account, we collect:

• Full name
• Email address
• Telephone number
• Company or organisation name
• Password (stored in hashed form only; we never store plaintext passwords)

3.2 Device Activation Data

When you activate Delta Forge on a device, we collect:

• Device fingerprint
• Machine identifier
• Hostname
• Operating system and version
• System architecture

3.3 Usage and Metering Data

To operate, bill, and improve the platform, we collect the following usage metrics:

• Delta Forge Compute Units ("DFCU") consumed
• Number of queries executed
• Active node count
• Bytes read and written
• Rows processed

3.4 Session and Security Data

To maintain the security of your account, we collect:

• Session token hashes
• IP addresses
• Last-used timestamps for each session

3.5 Licence and Audit Data

We maintain an audit trail of all licence-related operations, including:

• Licence activation and deactivation events
• Licence key assignments and transfers
• Compliance and enforcement actions

3.6 Communications Data

When you contact us or we send you service-related communications, we may process your email address and the content of those communications.

4. Lawful Bases for Processing

We rely on the following lawful bases under Article 6 of the UK GDPR and EU GDPR to process your personal data:

Purpose	Lawful Basis
Providing and operating the Delta Forge platform	Performance of a contract (Art. 6(1)(b))
Account creation and authentication	Performance of a contract (Art. 6(1)(b))
Device activation and licence management	Performance of a contract (Art. 6(1)(b))
Metering, billing, and usage analytics	Legitimate interests (Art. 6(1)(f))
Security monitoring and fraud prevention	Legitimate interests (Art. 6(1)(f))
Maintaining audit logs for compliance	Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f))
Sending transactional emails (e.g., verification)	Performance of a contract (Art. 6(1)(b))
Responding to support requests	Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have conducted a balancing test to ensure that your interests, rights, and freedoms do not override those interests. You may request details of these assessments by contacting our DPO.

5. How We Use Your Data

We use the personal data we collect for the following purposes:

1. To create, maintain, and secure your account;
2. To provide, operate, and maintain the Delta Forge platform;
3. To authenticate your identity and manage device activations;
4. To monitor usage, meter consumption, and generate invoices;
5. To detect, prevent, and respond to security incidents, fraud, and abuse;
6. To send you transactional communications, including email verification, password resets, and service alerts;
7. To maintain audit trails for regulatory and compliance purposes;
8. To respond to your enquiries and provide customer support;
9. To comply with applicable legal obligations.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We share your data only with the following categories of recipients, each acting as a data processor under a written data processing agreement:

6.1 Email Service Providers

We use third-party email delivery services (such as Resend or SendGrid) to send verification emails and transactional communications. These processors receive your email address and name solely for the purpose of delivering messages on our behalf.

6.2 Cloud Infrastructure Providers

Your data is hosted on infrastructure provided by Microsoft Azure or Amazon Web Services, depending on your deployment configuration. These providers act as sub-processors and are subject to appropriate contractual safeguards.

6.3 Legal and Regulatory Disclosures

We may disclose your personal data where required to do so by law, regulation, or legal process, or where we reasonably believe disclosure is necessary to:

• Comply with applicable law or respond to valid legal requests;
• Protect the rights, property, or safety of Hypothesi Ltd, our users, or the public;
• Enforce our Terms of Service.

7. International Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area ("EEA"). Where such transfers occur, we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses ("SCCs") approved by the European Commission or the UK Information Commissioner's Office ("ICO"), as applicable;
• Adequacy decisions issued by the European Commission or the UK Secretary of State;
• Other lawful transfer mechanisms as permitted by applicable data protection law.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are as follows:

Data Category	Retention Period
Account registration data	Duration of account plus 30 days after deletion
Device activation data	Until device is deactivated or account is deleted
Usage and metering data	24 months from collection
Session data	Duration of session plus 90 days
Licence audit trail	7 years (regulatory compliance)
Support correspondence	24 months from last interaction

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised.

9. Your Rights

Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

1. Right of access — You have the right to request a copy of the personal data we hold about you (Article 15).
2. Right to rectification — You have the right to request correction of inaccurate or incomplete personal data (Article 16).
3. Right to erasure — You have the right to request deletion of your personal data where there is no compelling reason for its continued processing (Article 17).
4. Right to restriction of processing — You have the right to request that we restrict the processing of your personal data in certain circumstances (Article 18).
5. Right to data portability — You have the right to receive your personal data in a structured, commonly used, and machine-readable format (Article 20).
6. Right to object — You have the right to object to processing based on legitimate interests or for direct marketing purposes (Article 21).
7. Rights related to automated decision-making — You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you (Article 22).

To exercise any of these rights, please contact us at privacy@deltaforge.io. We will respond to your request within one month of receipt. In complex cases, we may extend this period by up to two additional months, and we will inform you of any such extension.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption of data at rest (AES-256) and in transit (TLS 1.3);
• Password hashing using Argon2;
• Role-based access controls and the principle of least privilege;
• Regular security assessments and vulnerability testing;
• Comprehensive audit logging of all access to personal data.

11. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.

12. Children's Privacy

Delta Forge is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at privacy@deltaforge.io and we will take steps to delete such data.

13. Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. In the United Kingdom, the relevant authority is:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113

If you are located in the European Economic Area, you may also lodge a complaint with your local data protection authority.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by placing a prominent notice on our website prior to the change becoming effective. We encourage you to review this page periodically.

15. Contact Us

If you have any questions or concerns about this Privacy Policy, or wish to exercise your data protection rights, please contact us:

Data Protection Officer
Hypothesi Ltd (trading as Delta Forge)
Email: privacy@deltaforge.io